Web developers who run the content management system Joomla! are strongly encouraged to update their sites immediately.

The company on Tuesday pushed out the most recent version of the CMS, 3.6.4, fixing two critical issues that can lead to account creation and elevated privileges, according to a release update published by the Joomla! Project.

Both issues, which the company branded as high severity, were discovered earlier this month and affect versions 3.4.4 through 3.6.3.

Because of inadequate checks, the account creation bug could allow a user to register as a new user when their registration has been disabled. The elevated privileges bug also tangentially deals with registration. Because of what Joomla! refers to as “incorrectly used unfiltered data,” a new user could register on the site and be granted elevated privileges.

The update also remedies a two-factor authentication error that started popping up in the CMS last week. On Oct. 18, following the release of the previous version, 3.6.3, a handful of users who use 2FA reported on Joomla’s Github page being locked out of their websites. Users claim they were met with “Must match character set” error notifications and forced to remove 2FA via their site databases in order to gain access.

The problem stemmed from the fact that Joomla recently upgraded to a new version of FOF, or Framework on Framework, a third party rapid application development framework for the CMS. The CMS was using FOFEncryptAesMcrypt but moved to FOFEncryptAesOpenssl with the update, making the Mcrypt keys of users invalid.

In a pull request on Github, Robert Deutz, part of Joomla’s Production Leadership Team, said Joomla fixed the issue and now converts data to OpenSSL if it’s crypted with Mcrypt.

According to researchers with Sucuri, who looked into the issues on Wednesday, exploits for the vulnerabilities have been spotted in the wild.

Marc-Alexandre Montpas, a security researcher at the firm, looked at the code and crafted an exploit to test the company’s firewall. Montpas determined that an attacker could use the arbitrary account creation bug to override properties, like any groups a user may belong to; manager, author, admin, and so on. From there, it’s a short path to code execution.

“As administrators can install extension packages on their site, an attacker could use his freshly hacked administrator account to upload a remote shell on the site and further compromise the server,” Montpas warned.

This story was updated on Thursday, October 27 with statements and information from Sucuri.

Categories: Vulnerabilities, Web Security